vulnerability research & proof-of-concept code
argv[0] against the allow-list; argv[1..N]
pass unfiltered to execvpe(). On cPanel + exim: sandboxed
PHP tenant → sendmail -be '${run{cmd}}' → arbitrary command
execution outside the namespace sandbox. All OLS versions with namespace
sandbox through current (v1.9.1).
cronCommand injection +
unvalidated phpPath arbitrary file write as root.
Write /etc/ld.so.preload → next root fork+exec loads attacker
.so → uid=0 in under 5 seconds. Any authenticated user who owns a website.
All CyberPanel versions through current.
:path pseudo-header
splits one HTTP/2 request into two HTTP/1.1 requests on proxied backends.
Bypass URL routing, reach unexposed endpoints, desync responses.
All OLS reverse-proxy deployments < 1.9.1 affected.